the near future: the latest about the next few months.
Working from Home Sharpens Focus on Cyber Training (National Defense) The COVID-19 pandemic has forced the military to put a renewed emphasis on cyber training as servicemembers increase their use of teleworking.
The Dawn of the New Internet Era: More Speed, More Devices, but Infrastructure is Lagging Behind (AutoMobilSport) Increased use of internet services, broader application of IoT devices, and the COVID-related shift to remote work are just a few of the factors accelerating the transition to the new era of the Internet.
Group-IB Reveals Its Cyberthreat Forecast for the Coming Year (PR Newswire) Group-IB, a global threat hunting and intelligence company, has presented its annual Hi-Tech Crime Trends 2020/2021 report. In the report, the...
Group-IB annual report on trends and forecasts in cyberthreat landscape (Group-IB) Source of strategic data on the global cyber threat landscape and forecasts for its development
Scams, safety, and shopping sense. (The CyberWire) We've received a great deal of advice about safe shopping (and safe giving) during the holiday season. As we get ready for Thanksgiving, we thought we'd share some of the insights experts in government and industry have offered.
Cyber Attacks, Threats, and Vulnerabilities
Russian Influence Peddlers Carving Out New Audiences on Fringes (Voice of America) After four years of warnings and preparations, the 2020 presidential election did not see a repeat of 2016, when intelligence officials concluded Russia meddled using a combination of cyberattacks and influence operations.
COVIDSafe data 'incidentally' collected by intelligence agencies in first six months (iTnews) But not decrypted, accessed or used, IGIS says.
Peatix Braces Users for Follow-On Attacks After Breach (Infosecurity Magazine) Events firm not clear how strong password encryption was
Post Breach, Peatix Data Reportedly Found on Instagram, Telegram (Threatpost) Events application Peatix this week disclosed a data breach, after user account information reportedly began circulating on Instagram and Telegram.
User data stolen from event organizing service Peatix offered for sale online (SiliconANGLE)
Updated Trickbot Malware Is More Resilient (BankInfo Security)
One-third of gamers suffered online gaming account hack (Atlas VPN) According to the data presented by the Atlas VPN team, 38% of gamers have been hacked at least once in the past while playing computer games.
Gift card hack exposed – you pay, they play (Naked Security) These crooks hacked into a network hoping to get everyone in the company to buy them gift cards.
Cyber attack: No customer or staff data stolen, Flagship Group says (BBC News) Flagship Group says its IT systems are now "in a stage of carefully controlled recovery".
Australian legal services provider hit with cyber attack (Insurance Business) Digital services firm forced to halt much of its operations after the incident at the weekend
Illinois Valley Community College sends letter warning of data breach (News Tribune) President: There's nothing good that comes out of this
Baltimore County Public Schools hit by ransomware cyber attack, officials say (Baltimore Sun) The Baltimore County Public Schools system was hit with a ransomware cyber attack, shutting down all network systems, officials said Wednesday.
Fuji Electric V-Server Lite (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 7.8. ATTENTION: Low skill level to exploit. Vendor: Fuji Electric. Equipment: V-Server Lite. Vulnerability: Out-of-bounds Write. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow for remote code execution on the device.
Rockwell Automation FactoryTalk Linx (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 9.8. ATTENTION: Exploitable remotely/Low skill level to exploit. Vendor: Rockwell Automation. Equipment: FactoryTalk Linx. Vulnerabilities: Improper Input Validation, Heap-based Buffer Overflow. 2.
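The two CISA advisories above both name memory-safety bug classes that arise when a parser trusts a length field it read from the wire (out-of-bounds write, heap-based buffer overflow, improper input validation). The following is an added example, not code from Fuji Electric, Rockwell Automation or CISA, and the record format, the FIELD_CAP constant and the function names are invented for illustration: a length-prefixed record parser written with the defect, next to a hardened version that validates every input-derived quantity before using it.

```c
/*
 * Added example (not vendor or CISA code): a length-prefixed record parser
 * showing how an untrusted length field produces a heap-based buffer overflow
 * and an out-of-bounds read, beside a hardened parser.
 *
 * Constructed record layout: [tag:1][len:2 big-endian][payload:len]
 * Records are concatenated back to back in one buffer.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_CAP 32   /* fixed size of the heap buffer each payload is copied into */

struct record {
    uint8_t  tag;
    size_t   len;
    uint8_t *data;     /* heap allocation of FIELD_CAP bytes; caller frees */
};

/* VULNERABLE: trusts the attacker-controlled length field.
 * (1) len may exceed FIELD_CAP  -> heap-based buffer overflow in memcpy
 * (2) len may exceed the bytes actually present -> out-of-bounds read of the input
 * Returns bytes consumed. Shown only for the pattern; never feed it untrusted data. */
static size_t parse_record_unchecked(const uint8_t *in, size_t in_len, struct record *out)
{
    (void)in_len;                                  /* the bug: input length is ignored */
    out->tag  = in[0];
    out->len  = ((size_t)in[1] << 8) | in[2];
    out->data = malloc(FIELD_CAP);
    memcpy(out->data, in + 3, out->len);           /* no bound on out->len */
    return 3 + out->len;
}

/* HARDENED: every quantity derived from the input is checked before use.
 * Returns bytes consumed, or 0 for a malformed record (and leaves *out untouched). */
static size_t parse_record_checked(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 3)                     /* the header must be fully present */
        return 0;
    size_t len = ((size_t)in[1] << 8) | in[2];
    if (len > FIELD_CAP)                /* declared size must fit the destination */
        return 0;
    if (len > in_len - 3)               /* declared size must fit the input that exists */
        return 0;
    uint8_t *data = malloc(FIELD_CAP);
    if (data == NULL)
        return 0;
    memcpy(data, in + 3, len);
    out->tag  = in[0];
    out->len  = len;
    out->data = data;
    return 3 + len;
}

/* Walk a buffer with the hardened parser. Returns the number of well-formed
 * records found, stopping at the first malformed one. */
static int count_records(const uint8_t *buf, size_t buf_len)
{
    int n = 0;
    size_t off = 0;
    while (off < buf_len) {
        struct record r;
        size_t used = parse_record_checked(buf + off, buf_len - off, &r);
        if (used == 0)
            break;
        free(r.data);
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample input; not captured from any real device. */
static const uint8_t BENIGN[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',     /* tag 1, len 5 */
    0x02, 0x00, 0x03, 'a', 'b', 'c'                /* tag 2, len 3 */
};
/* Declares 0xFFFF payload bytes but carries only 2: overflows both FIELD_CAP
 * and the input buffer if the unchecked parser is used. */
static const uint8_t MALICIOUS[] = { 0x01, 0xFF, 0xFF, 'x', 'y' };

int main(void)
{
    printf("benign:    %d well-formed records\n", count_records(BENIGN, sizeof BENIGN));
    printf("malicious: %d well-formed records\n", count_records(MALICIOUS, sizeof MALICIOUS));
    return 0;
}
```

The hardened parser rejects the malicious record before touching memory, and it checks the declared length against both limits separately: a length that fits the heap buffer can still overrun the input, and a length that fits the input can still overrun the heap buffer. Fuzzing the checked function with random headers is a cheap way to confirm neither path is reachable.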
'Hello Greta!': Justin Trudeau 'fields call from pranksters' (BBC News) Pranksters posing as the climate activist told the Canadian PM to "drop your weapons, pick flowers".
Security Patches, Mitigations, and Software Updates
UK urges orgs to patch critical MobileIron CVE-2020-15505 RCE bug (BleepingComputer) The UK National Cyber Security Centre (NCSC) issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution (RCE) vulnerability in MobileIron mobile device management (MDM) systems.
Cyber Trends
Bolster’s Q2 and Q3 2020 State of Phishing and Online Fraud Report: Cybersecurity Facing a Scale Crisis with more than 18,000 Scam Sites Created Daily (BusinessWire) Bolster, a deep learning-powered fraud prevention company protecting the world's leading brands from counterfeit activity, today released its Q2 and Q
Cyber attacks reach a record high, Cert NZ report shows (Stuff) Cyber attacks circulated by email pose the greatest threat to New Zealand's cyber safety, according to a government agency's latest report.
Cyber insurance: Most frequent and costly claims revealed (Canadian Underwriter) External attacks on companies result in the most expensive cyber insurance losses, but internal failures like employee mistakes and technical problems are the most frequent generator of claims by number (albeit with a lower financial impact), a new report says.…
Millennials lose $300 per fraud while elderly lose 4x more (Atlas VPN) According to Atlas VPN findings based on official FTC records, Millennials lose between $300 and $205 per fraud case, while elderly people lose up to $1,200.
Marketplace
Acronis Acquires CyberLynx to Enhance Cyber Protection Portfolio (Solutions Review) Acronis recently announced the acquisition of CyberLynx, a leading Israel-based cyber-security consultancy firm with a presence in the UK, Switzerland, and Luxembourg. This acquisition is Acronis’ …
Splunk expands its observability capabilities with the acquisition of Flowmill (Help Net Security) Splunk announced it has signed a definitive agreement to acquire Flowmill, a Palo-Alto based cloud network observability company.
Jacobs Acquires Cyber and Intelligence Leader The Buffalo Group (PR Newswire) Jacobs (NYSE:J) announces it has acquired The Buffalo Group, a leader in advanced cyber and intelligence solutions, further strengthening...
What Jacobs found in its Buffalo Group deal (Washington Technology) Jacobs sees its now-closed acquisition of The Buffalo Group as another step in becoming a more formidable cyber and intelligence market competitor.
FireEye (FEYE) Expands Mandiant Capability With Respond Buyout (Yahoo Finance) FireEye's (FEYE) recent acquisition of Respond Software and the $400-million investment deal with Blackstone and ClearSky bode well for its expansion plans.
FireEye Announces Acquisition of Respond Software (FireEye) The Respond Software XDR engine to be integrated into Mandiant Advantage, bringing cloud-native AI together with Mandiant intelligence and expertise to automate the investigation of alerts
NOAA moves on $2.1B IT modernization pact awards (Washington Technology) With all protests now in the rear view, the National Oceanic and Atmospheric Administration makes awards for a $2.1 billion IT systems modernization blanket purchase agreement.
VMware tops Q3 estimates, raises fiscal year guidance (ZDNet) The company reported Q3 revenue of $2.86 billion, up 8% from a year ago.
1 in 5 Fortune 500 companies still use risky Chinese tech after U.S. ban (Fortune) Many I.T. networks across corporate America contain equipment from Huawei, ZTE, and other blacklisted Chinese firms.
Microsoft announces investments to accelerate Sweden’s digital transformation and plans to open its sustainable datacenter region in 2021 (Microsoft News Centre Europe) Microsoft will open its world-class, sustainable datacenter region in 2021 with 100 percent renewable energy, continue investing in local communities and skilling for up to 150,000 Swedes
Facebook Struggles to Balance Civility and Growth (New York Times) Employees and executives are battling over how to reduce misinformation and hate speech without hurting the company’s bottom line.
Twitter to relaunch account verifications in early 2021, asks for feedback on policy (TechCrunch) Twitter announced today it’s planning to relaunch its verification system in 2021, and will now begin the process of soliciting public feedback on the new policy ahead of its implementation. Under the policy, Twitter will initially verify six types of accounts, including those belonging to go…
YouTube temporarily suspends, demonetizes OANN (Axios) The Google-owned platform took action over a video falsely promoting a COVID-19 cure.
The Boston Globe Names Recorded Future a Top Place to Work for 2020 (PR Newswire) Recorded Future, the largest security intelligence provider, today announced it has been named one of the Top Places to Work in Massachusetts...
Symantec Head Art Gilliland Out One Year After Broadcom Deal (CRN) Top executive Art Gilliland has departed after leading Symantec through its tumultuous $10.7 billion sale to Broadcom, the latest blow to what was once the world’s largest pure-play cybersecurity vendor.
Products, Services, and Solutions
Ivanti Delivers Automation Between Service Management and SecOps on Ivanti Neurons Platform for Impr (Ivanti) Automation between Service Management and SecOps enables customers to improve security incident management, governance and compliance, and an organization’s overall security posture and responsiveness
CompTIA PenTest+ Approved by U.S. Department of Defense (CompTIA) Certification meets requirements for military personnel and defense contractors who work with sensitive information
Canonical Publishes Secure Container Application Images on Docker Hub (SecurityWeek) Canonical has published hardened LTS container images on Docker Hub, promising up to 10 years of security maintenance
Ethereum 2.0’s Genesis Day Is Officially Set for Dec. 1 (CoinDesk) The biggest update in Ethereum’s history will officially begin its first phase on December 1 when the Ethereum 2.0 Beacon chain goes live.
Fasoo Data Protection Platform Chosen For AITE’s Impact Brief on Data Discovery, Classification and Protection (EIN News) Fasoo, Inc., a global leader in data security, today announced that it has been chosen for the Case Study in AITE’s recently published Impact Brief, "Sensitive Data Everywhere - Find It, Manage It, and Protect It", that identifies technical innovations related to data discovery, classification and protection.
Technologies, Techniques, and Standards
Threat Intelligence is Essential for Agencies to Combat Dark Web Threats (Meritalk) The dark web has long provided a safe haven for cybercriminals to plot illicit activities, often with huge implications for the government. To stay ahead of cybercriminals, Federal agencies have to investigate threats and emerging adversaries on their networks – but that is easier said than done.
Identity a cornerstone of effective fraud – and its prevention (Blue Notes) Just as major organisations are adapting to new technologies, so too are the fraudsters using data to drive illicit activities.
The Changing Face of OT Security (SecurityWeek) In lock step with digital transformation projects, organizations are adopting the best practice of centralizing responsibility and accountability for securing the OT environment with the CISO.
Why Zero Trust Network Access Beats Virtual Private Networks for Security (CMSWire) Virtual private networks are inadequate for the security needs of the modern connected enterprise. Here's why Zero Trust is in organizations' best interest.
Can Cyber Hygiene Lead to a Cyber Secure Attitude? (Infosecurity Magazine) If more people are cyber hygienic than not, then a positive cybersecurity culture emerges
Research and Development
Information Security Forum Explores Human-Centred Security in Latest Research (PRLog) The information security industry is playing catch-up when it comes to positively influencing behavior – the proliferation of remote working arrangements, exacerbated by the stress associated with the pandemic, has underlined the importance of...
Academia
Five Tips To Avoid Cyberattacks On Edtech Platforms (BW Education) Professional Education-With more students turning to online learning than ever, these platforms have emerged as a lucrative target for cybercriminals.
Legislation, Policy, and Regulation
Joint Statement on Data Protection and Privacy in the COVID-19 Response (United Nations) The COVID-19 pandemic has become a global emergency, with devastating consequences in terms of loss of life and economic decline, and significantly hampering progress toward achieving the United Nations Sustainable Development Goals. Poor and vulnerable communities are particularly imperiled by this deadly disease and its economic ramifications.
Canada’s Proposed Privacy Overhaul Leans Toward European-Style Rules (Wall Street Journal) Legislation comes as the EU reviews Canadian protections for data transfers.
UK companies face £1.6 billion in extra costs without EU data sharing agreement (Computing) The average compliance cost is estimated to be £10,000 for small firms and over £160,000 for large businesses
UK Telecom Companies Face Big Fines Under New Security Law (SecurityWeek) Telecom companies in Britain face hefty fines if they don’t comply with strict new security rules under a new law proposed in Parliament that is aimed at blocking high-risk equipment suppliers like China’s Huawei.
UK's Huawei bill proposes stiff fines for companies that violate ban (CyberScoop) The U.K. government is proposing big penalties for companies that fail to comply with telecommunications security requirements aimed at keeping technology from Huawei out of the country’s new high-speed networks. Legislation proposed Tuesday by Prime Minister Boris Johnson’s government would levy fines of as much as 100,000 pounds ($134,000) per day if companies don’t meet deadlines for new security requirements.
India bans 43 more Chinese apps over cybersecurity concerns (TechCrunch) India is not done banning Chinese apps. The world’s second-largest internet market, which has banned more than 175 apps with links to the neighboring nation in recent months, said on Tuesday it was banning an additional 43 such apps. Like with the previous orders, India cited cybersecurity concerns…
The Cybersecurity 202: China is likely to be Biden’s biggest cybersecurity challenge (Washington Post) China is shaping up to be the Biden administration’s biggest cybersecurity headache.
The FCC rejects ZTE’s petition to stop designating it a “national security threat” (TechCrunch) The Federal Communications Commission has rejected ZTE’s petition to remove its designation as a “national security threat.” This means that American companies will continue to be barred from using the FCC’s $8.3 billion Universal Service Fund to buy equipment and services from ZT…
ZTE Corp.’s Designation as Security Threat Affirmed by U.S. FCC (Bloomberg) Airwaves regulator shows continued tilt against ZTE and Huawei. FCC contemplating formalizing rules to single out suspect gear.
Senate proposes $58M boost to CISA's budget to clear out risk assessment backlog (FCW) The Senate Appropriations Committee's bill would aim to help CISA reduce an ongoing backlog of vulnerability assessments requested by state and local agencies.
IoT Cybersecurity Act 2020 | ReFirm Labs (ReFirm Labs) Last week the US Senate unanimously approved the IoT Cybersecurity Improvement Act of 2020. Here's why it's important.
Space Cybersecurity in the Age of Defending Forward (Lawfare) A recent policy directive detailing the United States’s cybersecurity principles for “space systems” raises important questions concerning U.S. legal obligations in space under international law.
Watchdog says Pentagon's effort to 'harmonize' cyber is lacking (FCW) A new Government Accountability Office report says the Pentagon's architecture to unify its cyber efforts lacks governance structure and goals.
Defense Official Calls Cyber Resilience Critical to Protecting Systems, Continuing the Mission (U.S. Department of Defense) While the U.S. and its allies work diligently to defend against malicious and destabilizing activities in cyberspace, those defenses may not be robust enough and adversaries are taking advantage, a
Trump grants Biden access to presidential intel (POLITICO) The president had refused to loop his successor into the briefs as he challenged the outcome of the election.
FTC's Zoom Deal Signals New Data Security Plan Under Dems (Law360) The Federal Trade Commission's two Democrats offered a detailed strategy for boosting the agency's data security and privacy enforcement approach in an objection to a recent nonmonetary settlement against Zoom, laying out a plan that could soon come to fruition as their party readies to take the helm of the agency next year.
US Air Force to reorganize network, security groups under single entity (C4ISRNET) The 688th Cyberspace Wing is combining three of its groups to create a network and security operations center.
Democrats press Facebook, Twitter on misinformation efforts ahead of Georgia runoff (TheHill) Democratic senators on Tuesday pressed Facebook and Twitter over measures the social media giants are taking to combat election misinformation ahead of the Georgia Senate runoffs that will decide party control of th
U.S. senators urge Facebook, Twitter for tighter checks before Georgia runoff election (Reuters) U.S. Senator Richard Blumenthal on Tuesday called on the heads of Facebook and Twitter for information on steps the social media firms are taking to prevent the spread of misinformation ahead of the runoff U.S. Senate elections in Georgia.
Litigation, Investigation, and Law Enforcement
Baltimore already had a witness intimidation problem. Now it’s moved to extortion accounts on Instagram. (Baltimore Sun) Almost two decades after the “Stop Snitching” street DVD jolted Baltimore officials about the problem of witness intimidation, a series of recent cases makes clear the practice continues and has evolved, exploiting social media and mobile technology.
Calls grow for UK competition watchdog to block Google's Privacy Sandbox (Computing) A group of companies has warned that Google's Privacy Sandbox would cut publishers' revenues by as much as two-thirds
ADA Foundation data included in Blackbaud incident (ADA Foundation) The ADA Foundation was among the nonprofit entities whose data was included in a data breach reported by Blackbaud, one of the Foundation’s former service providers. Blackbaud assured the Foundation that sensitive information such as social security numbers and credit card numbers was protected by encryption and was not breached.
Home Depot agrees to $17.5m settlement in 2014 data breach (Washington Post) Home Depot has reached a $17.5 million settlement with the attorneys general of 46 states and the District of Columbia over a 2014 data breach that exposed the payment card information of some 40 million customers.
State gets $188,000 in Home Depot data breach deal (ABC 36 News) Home Depot agrees to take steps to prevent future problems.
NJ gets $579K from Home Depot over data breach that compromised data of millions (NJBIZ) The award resolves allegations the retailer had insufficient security measures in place that compromised the personal information of millions in 2014.
Colorado secures settlement from The Home Depot over consumer data breach (The Denver Post) Colorado is among the 46 states and the District of Columbia that have secured a $17.5 million settlement from The Home Depot following a data breach that exposed credit card information of about 4…
Hoosiers Have Until Dec. 16 To File Claim For Equifax Data Breach Settlement (WBOI) Nearly 4 million Hoosiers could be eligible for money from credit bureau Equifax after a 2017 data breach – but they have until Dec. 16 to file a claim.
Amazon Will Conduct Counterfeit Inspections With U.S. Agency (Bloomberg) Company partners with U.S. intellectual property center. Counterfeits a sore spot for shoppers, brands on Amazon.
Kansas Atty Suspended After Copping To Role In Cyberattacks (Law360) Oklahoma's highest state court on Tuesday suspended for over two years a Kansas personal injury lawyer who pled guilty last year to knowing about cyberattacks waged on his behalf against Leagle.com and others.
Netanyahu tells convicted American spy: ‘We’re waiting for you’ (Navy Times) Jonathan Pollard, a former analyst for the U.S. Navy convicted of spying for Israel, completed his parole and is cleared to move to Israel.